Client fingerprinting for information system security

ABSTRACT

Client fingerprints can be used to detect and defend against malware and hacking into information systems more effectively than using IP addresses. A unique client fingerprint can be based on data found in the client&#39;s SSL client hello packet. SSL version, cipher suites, and other fields of the packet can be utilized, preferably utilizing individual field values in the order in which they appear in the packet. The ordered values are converted to decimal values, separated by delimiters, and concatenated to form an identifier string. The identifier string may be mapped, preferably by a hash function, to form the client fingerprint. The client fingerprint may be logged, and whitelists and blacklists may be formed using client fingerprints so formed.

RELATED CASE

None.

COPYRIGHT NOTICE

Copyright 2017 salesforce.com, inc. A portion of the disclosure of thispatent document contains material which is subject to copyrightprotection. The copyright owner has no objection to the facsimilereproduction by anyone of the patent document or the patent disclosure,as it appears in the United States Patent and Trademark Office patentfile or records, but otherwise reserves all copyright rights whatsoever.

TECHNICAL FIELD

The technology relates to information system security improvements bymanaging access by remote clients.

BACKGROUND

Historically, access to information systems may be limited to authorizedusers or clients. Clients may be identified by various means, forexample, IP address, and client identifiers may be used to permit, orconversely deny, access to an information system. The need remains forimprovements in client identification to improve information systemsecurity robustness and performance.

BRIEF DESCRIPTION OF THE DRAWINGS

The included drawings are for illustrative purposes and serve to provideexamples of possible structures and operations for the disclosedinventive systems, apparatus, methods and computer-readable storagemedia. These drawings in no way limit any changes in form and detailthat may be made by one skilled in the art without departing from thespirit and scope of the disclosed implementations.

FIG. 1A shows a block diagram of an example environment in which anon-demand database service can be used according to someimplementations.

FIG. 1B shows a block diagram of example implementations of elements ofFIG. 1A and example interconnections among these elements according tosome implementations.

FIG. 2 shows a simplified block diagram of example implementations inwhich an SSL fingerprint system is provisioned in an information systemconsistent with the present disclosure.

FIG. 3 shows a simplified flow diagram of an example process forfingerprinting a client based on a Transport Layer Security (TLS) clienthello packet.

FIG. 4 shows a simplified flow diagram of an example process forgenerating a client identifier string based on aspects of a client hellopacket.

FIG. 5 is a simplified conceptual diagram illustrating a more detailedexample process for generating a client identifier string based onaspects of a client hello packet.

FIG. 6 is a simplified block diagram illustrating selected fields of aTLS client hello packet.

FIG. 7 shows a small sampling of example cipher suites that may belisted in a client hello packet.

DETAILED DESCRIPTION

Examples of systems, apparatus, computer-readable storage media, andmethods according to the disclosed implementations are described in thissection. These examples are being provided solely to add context and aidin the understanding of the disclosed implementations. It will thus beapparent to one skilled in the art that the disclosed implementationsmay be practiced without some or all of the specific details provided.In other instances, certain process or method operations, also referredto herein as “blocks,” have not been described in detail in order toavoid unnecessarily obscuring the disclosed implementations. Otherimplementations and applications also are possible, and as such, thefollowing examples should not be taken as definitive or limiting eitherin scope or setting.

In the following detailed description, references are made to theaccompanying drawings, which form a part of the description and in whichare shown, by way of illustration, specific implementations. Althoughthese disclosed implementations are described in sufficient detail toenable one skilled in the art to practice the implementations, it is tobe understood that these examples are not limiting, such that otherimplementations may be used and changes may be made to the disclosedimplementations without departing from their spirit and scope. Forexample, the blocks of the methods shown and described herein are notnecessarily performed in the order indicated in some otherimplementations. Additionally, in some other implementations, thedisclosed methods may include more or fewer blocks than are described.As another example, some blocks described herein as separate blocks maybe combined in some other implementations. Conversely, what may bedescribed herein as a single block may be implemented in multiple blocksin some other implementations. Additionally, the conjunction “or” isintended herein in the inclusive sense where appropriate unlessotherwise indicated; that is, the phrase “A, B or C” is intended toinclude the possibilities of “A,” “B,” “C,” “A and B,” “B and C,” “A andC” and “A, B and C.”

The common use of IP addresses to control access to a host system, forexample, a database system or application service provider, althoughconvenient, is not reliable and is easily circumvented. Known clientfingerprinting techniques based on the TLS client hello packet are slow,cumbersome and inconvenient. The need remains for techniques tofingerprint SSL clients at line speed with outputs that are easilysearchable, sharable, and for methods that can easily be duplicatedacross different platforms.

I. Example System Overview

FIG. 1A shows a block diagram of an example of an environment 10 inwhich an on-demand database service can be used in accordance with someimplementations. The environment 10 includes user systems 12, a network14, a database system 16 (also referred to herein as a “cloud-basedsystem”), a processor system 17, an application platform 18, a networkinterface 20, tenant database 22 for storing tenant data 23, systemdatabase 24 for storing system data 25, program code 26 for implementingvarious functions of the system 16, and process space 28 for executingdatabase system processes and tenant-specific processes, such as runningapplications as part of an application hosting service. In some otherimplementations, environment 10 may not have all of these components orsystems, or may have other components or systems instead of, or inaddition to, those listed above.

In some implementations, the environment 10 is an environment in whichan on-demand database service exists. An on-demand database service,such as that which can be implemented using the system 16, is a servicethat is made available to users outside of the enterprise(s) that own,maintain or provide access to the system 16. As described above, suchusers generally do not need to be concerned with building or maintainingthe system 16. Instead, resources provided by the system 16 may beavailable for such users' use when the users need services provided bythe system 16; that is, on the demand of the users. Some on-demanddatabase services can store information from one or more tenants intotables of a common database image to form a multi-tenant database system(MTS). The term “multi-tenant database system” can refer to thosesystems in which various elements of hardware and software of a databasesystem may be shared by one or more customers or tenants. For example, agiven application server may simultaneously process requests for a greatnumber of customers, and a given database table may store rows of datasuch as feed items for a potentially much greater number of customers. Adatabase image can include one or more database objects. A relationaldatabase management system (RDBMS) or the equivalent can execute storageand retrieval of information against the database object(s).

Application platform 18 can be a framework that allows the applicationsof system 16 to execute, such as the hardware or software infrastructureof the system 16. In some implementations, the application platform 18enables the creation, management and execution of one or moreapplications developed by the provider of the on-demand databaseservice, users accessing the on-demand database service via user systems12, or third party application developers accessing the on-demanddatabase service via user systems 12.

In some implementations, the system 16 implements a web-based customerrelationship management (CRM) system. For example, in some suchimplementations, the system 16 includes application servers configuredto implement and execute CRM software applications as well as providerelated data, code, forms, renderable web pages and documents and otherinformation to and from user systems 12 and to store to, and retrievefrom, a database system related data, objects, and Web page content. Insome MTS implementations, data for multiple tenants may be stored in thesame physical database object in tenant database 22. In some suchimplementations, tenant data is arranged in the storage medium(s) oftenant database 22 so that data of one tenant is kept logically separatefrom that of other tenants so that one tenant does not have access toanother tenant's data, unless such data is expressly shared. The system16 also implements applications other than, or in addition to, a CRMapplication. For example, the system 16 can provide tenant access tomultiple hosted (standard and custom) applications, including a CRMapplication. User (or third party developer) applications, which may ormay not include CRM, may be supported by the application platform 18.The application platform 18 manages the creation and storage of theapplications into one or more database objects and the execution of theapplications in one or more virtual machines in the process space of thesystem 16.

According to some implementations, each system 16 is configured toprovide web pages, forms, applications, data and media content to user(client) systems 12 to support the access by user systems 12 as tenantsof system 16. As such, system 16 provides security mechanisms to keepeach tenant's data separate unless the data is shared. If more than oneMTS is used, they may be located in close proximity to one another (forexample, in a server farm located in a single building or campus), orthey may be distributed at locations remote from one another (forexample, one or more servers located in city A and one or more serverslocated in city B). As used herein, each MTS could include one or morelogically or physically connected servers distributed locally or acrossone or more geographic locations. Additionally, the term “server” ismeant to refer to a computing device or system, including processinghardware and process space(s), an associated storage medium such as amemory device or database, and, in some instances, a databaseapplication (for example, OODBMS or RDBMS) as is well known in the art.It should also be understood that “server system” and “server” are oftenused interchangeably herein. Similarly, the database objects describedherein can be implemented as part of a single database, a distributeddatabase, a collection of distributed databases, a database withredundant online or offline backups or other redundancies, etc., and caninclude a distributed database or storage network and associatedprocessing intelligence.

The network 14 can be or include any network or combination of networksof systems or devices that communicate with one another. For example,the network 14 can be or include any one or any combination of a LAN(local area network), WAN (wide area network), telephone network,wireless network, cellular network, point-to-point network, starnetwork, token ring network, hub network, or other appropriateconfiguration. The network 14 can include a TCP/IP (Transfer ControlProtocol and Internet Protocol) network, such as the global internetworkof networks often referred to as the “Internet” (with a capital “I”).The Internet will be used in many of the examples herein. However, itshould be understood that the networks that the disclosedimplementations can use are not so limited, although TCP/IP is afrequently implemented protocol.

The user systems 12 can communicate with system 16 using TCP/IP and, ata higher network level, other common Internet protocols to communicate,such as HTTP, FTP, AFS, WAP, etc. In an example where HTTP is used, eachuser system 12 can include an HTTP client commonly referred to as a “webbrowser” or simply a “browser” for sending and receiving HTTP signals toand from an HTTP server of the system 16. Such an HTTP server can beimplemented as the sole network interface 20 between the system 16 andthe network 14, but other techniques can be used in addition to orinstead of these techniques. In some implementations, the networkinterface 20 between the system 16 and the network 14 includes loadsharing functionality, such as round-robin HTTP request distributors tobalance loads and distribute incoming HTTP requests evenly over a numberof servers. In MTS implementations, each of the servers can have accessto the MTS data; however, other alternative configurations may be usedinstead.

The user systems 12 can be implemented as any computing device(s) orother data processing apparatus or systems usable by users to access thedatabase system 16. For example, any of user systems 12 can be a desktopcomputer, a work station, a laptop computer, a tablet computer, ahandheld computing device, a mobile cellular phone (for example, a“smartphone”), or any other Wi-Fi-enabled device, wireless accessprotocol (WAP)-enabled device, or other computing device capable ofinterfacing directly or indirectly to the Internet or other network. Theterms “user system” and “computing device” are used interchangeablyherein with one another and with the term “computer.” As describedabove, each user system 12 typically executes an HTTP client, forexample, a web browsing (or simply “browsing”) program, such as a webbrowser based on the WebKit platform, Microsoft's Internet Explorerbrowser, Apple's Safari, Google's Chrome, Opera's browser, or Mozilla'sFirefox browser, or the like, allowing a user (for example, a subscriberof on-demand services provided by the system 16) of the user system 12to access, process and view information, pages and applicationsavailable to it from the system 16 over the network 14.

Each user system 12 also typically includes one or more user inputdevices, such as a keyboard, a mouse, a trackball, a touch pad, a touchscreen, a pen or stylus or the like, for interacting with a graphicaluser interface (GUI) provided by the browser on a display (for example,a monitor screen, liquid crystal display (LCD), light-emitting diode(LED) display, among other possibilities) of the user system 12 inconjunction with pages, forms, applications and other informationprovided by the system 16 or other systems or servers. For example, theuser interface device can be used to access data and applications hostedby system 16, and to perform searches on stored data, and otherwiseallow a user to interact with various GUI pages that may be presented toa user. As discussed above, implementations are suitable for use withthe Internet, although other networks can be used instead of or inaddition to the Internet, such as an intranet, an extranet, a virtualprivate network (VPN), a non-TCP/IP based network, any LAN or WAN or thelike.

The users of user systems 12 may differ in their respective capacities,and the capacity of a particular user system 12 can be entirelydetermined by permissions (permission levels) for the current user ofsuch user system. For example, where a salesperson is using a particularuser system 12 to interact with the system 16, that user system can havethe capacities allotted to the salesperson. However, while anadministrator is using that user system 12 to interact with the system16, that user system can have the capacities allotted to thatadministrator. Where a hierarchical role model is used, users at onepermission level can have access to applications, data, and databaseinformation accessible by a lower permission level user, but may nothave access to certain applications, database information, and dataaccessible by a user at a higher permission level. Thus, different usersgenerally will have different capabilities with regard to accessing andmodifying application and database information, depending on the users'respective security or permission levels (also referred to as“authorizations”).

According to some implementations, each user system 12 and some or allof its components are operator-configurable using applications, such asa browser, including computer code executed using a central processingunit (CPU) such as an Intel Pentium® processor or the like. Similarly,the system 16 (and additional instances of an MTS, where more than oneis present) and all of its components can be operator-configurable usingapplication(s) including computer code to run using the processor system17, which may be implemented to include a CPU, which may include anIntel Pentium® processor or the like, or multiple CPUs.

The system 16 includes tangible computer-readable media havingnon-transitory instructions stored thereon/in that are executable by orused to program a server or other computing system (or collection ofsuch servers or computing systems) to perform some of the implementationof processes described herein. For example, computer program code 26 canimplement instructions for operating and configuring the system 16 tointercommunicate and to process web pages, applications and other dataand media content as described herein. In some implementations, thecomputer code 26 can be downloadable and stored on a hard disk, but theentire program code, or portions thereof, also can be stored in anyother volatile or non-volatile memory medium or device as is well known,such as a ROM or RAM, or provided on any media capable of storingprogram code, such as any type of rotating media including floppy disks,optical discs, digital versatile disks (DVD), compact disks (CD),microdrives, and magneto-optical disks, and magnetic or optical cards,nanosystems (including molecular memory ICs), or any other type ofcomputer-readable medium or device suitable for storing instructions ordata. Additionally, the entire program code, or portions thereof, may betransmitted and downloaded from a software source over a transmissionmedium, for example, over the Internet, or from another server, as iswell known, or transmitted over any other existing network connection asis well known (for example, extranet, VPN, LAN, etc.) using anycommunication medium and protocols (for example, TCP/IP, HTTP, HTTPS,Ethernet, etc.) as are well known. It will also be appreciated thatcomputer code for the disclosed implementations can be realized in anyprogramming language that can be executed on a server or other computingsystem such as, for example, C, C++, HTML, any other markup language,Java™, JavaScript, ActiveX, any other scripting language, such asVBScript, and many other programming languages as are well known may beused. (Java™ is a trademark of Sun Microsystems, Inc.).

FIG. 1B shows a block diagram of example implementations of elements ofFIG. 1A and example interconnections between these elements according tosome implementations. That is, FIG. 1B also illustrates environment 10,but FIG. 1B, various elements of the system 16 and variousinterconnections between such elements are shown with more specificityaccording to some more specific implementations. Additionally, in FIG.1B, the user system 12 includes a processor system 12A, a memory system12B, an input system 12C, and an output system 12D. The processor system12A can include any suitable combination of one or more processors. Thememory system 12B can include any suitable combination of one or morememory devices. The input system 12C can include any suitablecombination of input devices, such as one or more touchscreeninterfaces, keyboards, mice, trackballs, scanners, cameras, orinterfaces to networks. The output system 12D can include any suitablecombination of output devices, such as one or more display devices,printers, or interfaces to networks.

In FIG. 1B, the network interface 20 is implemented as a set of HTTPapplication servers 100 ₁-100 _(N). Each application server 100, alsoreferred to herein as an “app server”, is configured to communicate withtenant database 22 and the tenant data 23 therein, as well as systemdatabase 24 and the system data 25 therein, to serve requests receivedfrom the user systems 12. The tenant data 23 can be divided intoindividual tenant storage spaces 40, which can be physically orlogically arranged or divided. Within each tenant storage space 40, userstorage 42 and application metadata 44 can similarly be allocated foreach user. For example, a copy of a user's most recently used (MRU)items can be stored to user storage 42. Similarly, a copy of MRU itemsfor an entire organization that is a tenant can be stored to tenantstorage space 40.

The process space 28 includes system process space 102, individualtenant process spaces 48 and a tenant management process space 46. Theapplication platform 18 includes an application setup mechanism 38 thatsupports application developers' creation and management ofapplications. Such applications and others can be saved as metadata intotenant database 22 by save routines 36 for execution by subscribers asone or more tenant process spaces 48 managed by tenant managementprocess 46, for example. Invocations to such applications can be codedusing PL/SOQL 34, which provides a programming language style interfaceextension to API 32. A detailed description of some PL/SOQL languageimplementations is discussed in commonly assigned U.S. Pat. No.7,730,478, titled METHOD AND SYSTEM FOR ALLOWING ACCESS TO DEVELOPEDAPPLICATIONS VIA A MULTI-TENANT ON-DEMAND DATABASE SERVICE, by CraigWeissman, issued on Jun. 1, 2010, and hereby incorporated by referencein its entirety and for all purposes. Invocations to applications can bedetected by one or more system processes, which manage retrievingapplication metadata 44 for the subscriber making the invocation andexecuting the metadata as an application in a virtual machine.

The system 16 of FIG. 1B also includes a user interface (UI) 30 and anapplication programming interface (API) 32 to system 16 residentprocesses to users or developers at user systems 12. In some otherimplementations, the environment 10 may not have the same elements asthose listed above or may have other elements instead of, or in additionto, those listed above.

Each application server 100 can be communicably coupled with tenantdatabase 22 and system database 24, for example, having access to tenantdata 23 and system data 25, respectively, via a different networkconnection. For example, one application server 100 ₁ can be coupled viathe network 14 (for example, the Internet), another application server100 _(N-1) can be coupled via a direct network link, and anotherapplication server 100 _(N) can be coupled by yet a different networkconnection. Transfer Control Protocol and Internet Protocol (TCP/IP) areexamples of typical protocols that can be used for communicating betweenapplication servers 100 and the system 16. However, it will be apparentto one skilled in the art that other transport protocols can be used tooptimize the system 16 depending on the network interconnections used.

In some implementations, each application server 100 is configured tohandle requests for any user associated with any organization that is atenant of the system 16. Because it can be desirable to be able to addand remove application servers 100 from the server pool at any time andfor various reasons, in some implementations there is no server affinityfor a user or organization to a specific application server 100. In somesuch implementations, an interface system implementing a load balancingfunction (for example, an F5 Big-IP load balancer) is communicablycoupled between the application servers 100 and the user systems 12 todistribute requests to the application servers 100. In oneimplementation, the load balancer uses a least-connections algorithm toroute user requests to the application servers 100. Other examples ofload balancing algorithms, such as round robin andobserved-response-time, also can be used. For example, in someinstances, three consecutive requests from the same user could hit threedifferent application servers 100, and three requests from differentusers could hit the same application server 100. In this manner, by wayof example, system 16 can be a multi-tenant system in which system 16handles storage of, and access to, different objects, data andapplications across disparate users and organizations.

In one example storage use case, one tenant can be a company thatemploys a sales force where each salesperson uses system 16 to manageaspects of their sales. A user can maintain contact data, leads data,customer follow-up data, performance data, goals and progress data,etc., all applicable to that user's personal sales process (for example,in tenant database 22). In an example of a MTS arrangement, because allof the data and the applications to access, view, modify, report,transmit, calculate, etc., can be maintained and accessed by a usersystem 12 having little more than network access, the user can managehis or her sales efforts and cycles from any of many different usersystems. For example, when a salesperson is visiting a customer and thecustomer has Internet access in their lobby, the salesperson can obtaincritical updates regarding that customer while waiting for the customerto arrive in the lobby.

While each user's data can be stored separately from other users' dataregardless of the employers of each user, some data can beorganization-wide data shared or accessible by several users or all ofthe users for a given organization that is a tenant. Thus, there can besome data structures managed by system 16 that are allocated at thetenant level while other data structures can be managed at the userlevel. Because an MTS can support multiple tenants including possiblecompetitors, the MTS can have security protocols that keep data,applications, and application use separate. Also, because many tenantsmay opt for access to an MTS rather than maintain their own system,redundancy, up-time, and backup are additional functions that can beimplemented in the MTS. In addition to user-specific data andtenant-specific data, the system 16 also can maintain system level datausable by multiple tenants or other data. Such system level data caninclude industry reports, news, postings, and the like that are sharableamong tenants.

In some implementations, the user systems 12 (which also can be clientsystems) communicate with the application servers 100 to request andupdate system-level and tenant-level data from the system 16. Suchrequests and updates can involve sending one or more queries to tenantdatabase 22 or system database 24. The system 16 (for example, anapplication server 100 in the system 16) can automatically generate oneor more SQL statements (for example, one or more SQL queries) designedto access the desired information. System database 24 can generate queryplans to access the requested data from the database. The term “queryplan” generally refers to one or more operations used to accessinformation in a database system.

Each database can generally be viewed as a collection of objects, suchas a set of logical tables, containing data fitted into predefined orcustomizable categories. A “table” is one representation of a dataobject, and may be used herein to simplify the conceptual description ofobjects and custom objects according to some implementations. It shouldbe understood that “table” and “object” may be used interchangeablyherein. Each table generally contains one or more data categorieslogically arranged as columns or fields in a viewable schema. Each rowor element of a table can contain an instance of data for each categorydefined by the fields. For example, a CRM database can include a tablethat describes a customer with fields for basic contact information suchas name, address, phone number, fax number, etc. Another table candescribe a purchase order, including fields for information such ascustomer, product, sale price, date, etc. In some MTS implementations,standard entity tables can be provided for use by all tenants. For CRMdatabase applications, such standard entities can include tables forcase, account, contact, lead, and opportunity data objects, eachcontaining pre-defined fields. As used herein, the term “entity” alsomay be used interchangeably with “object” and “table.”

In some MTS implementations, tenants are allowed to create and storecustom objects, or may be allowed to customize standard entities orobjects, for example by creating custom fields for standard objects,including custom index fields. Commonly assigned U.S. Pat. No.7,779,039, titled CUSTOM ENTITIES AND FIELDS IN A MULTI-TENANT DATABASESYSTEM, by Weissman et al., issued on Aug. 17, 2010, and herebyincorporated by reference in its entirety and for all purposes, teachessystems and methods for creating custom objects as well as customizingstandard objects in a multi-tenant database system. In someimplementations, for example, all custom entity data rows are stored ina single multi-tenant physical table, which may contain multiple logicaltables per organization. It is transparent to customers that theirmultiple “tables” are in fact stored in one large table or that theirdata may be stored in the same table as the data of other customers.

II. Fingerprinting SSL Clients

FIG. 2 shows a simplified block diagram of example implementations inwhich an SSL fingerprint system 205 is provisioned in a database service16 for user authentication. Preferably, the fingerprint system may beimplemented in software as further described later. In one example, itmay be realized in a script or scripting language such as Broscript.“Bro” is an open source Unix based network security monitoringframework, see https://bro.org

Selected elements of FIGS. 1A and 1B are shown in FIG. 2, with thereference numbers retained. A fingerprint system 205 may be coupled to afingerprint database system 210. The database 210 may be configured tostore client fingerprints generated by the system 205 based on SSLclient sessions that traverse the network 14 from a client 220 to accessthe system 16 as explained in more detail below. The database system 210may be configured to include metadata for at least some of the storedfingerprint records, for example, indicating timestamps, IP address, ora security indicator such as “OK” (permit access), “Block Access,”“Suspicious” etc. These particular labels are not critical and manyother indicators may be used. The concept is to enable storing securityindicators to better control access to an information system such assystem 16. In some embodiments, Broscripts can be used to raise analert, or execute commands such as writing to or updating clientfingerprint information in the database system 210.

In some embodiments, a database such as 210 may be used to generate ormaintain a blacklist of clients (identified by fingerprints as describedherein) to be denied access to an information system as they present asecurity risk. The database or the blacklist may be amended by importingdata from other networks or other network security resources.Conversely, a blacklist may be exported to others systems for their use.Such information, both blacklists and known good (“whitelist”) data maybe distributed throughout the security industry to everyone's benefit.

TLS and its predecessor SSL (Secure Sockets Layer) is the standardsecurity technology or protocol for establishing an encrypted linkbetween a web server and a browser or other client. This link isdesigned to ensure that all data passed between the server and theclient remain confidential. In most online implementations, the ‘client’is an internet browser and the ‘server’ is a website to which thebrowser is connected, but the present disclosure is not so limited. Itis applicable to any program that creates a connection to a server. Itcan be used to identify mobile apps, for example. Fundamentally, SSLworks by utilizing certificates and encryption. A web page will display“https://” instead of “http://” before the website's address in thebrowser's address bar when SSL is in use.

The basic unit of data in SSL is a record. There are generally fiverecord types in SSL, one of which is handshake records. Among thehandshake records is the client hello. The Client Hello sends theseattributes to the server:

-   -   1. Protocol Version: The version of the SSL protocol by which        the client wishes to communicate during this session.    -   2. Session ID: The ID of a session the client wishes to use for        this connection.    -   3. Cipher Suite: This is passed from the client to the server in        the Client Hello message. It contains the combinations of        cryptographic algorithms supported by the client in order of the        client's preference (first choice first). Each cipher suite        defines both a key exchange algorithm and a cipher        specification. The server selects at least one of the cipher        suites or, if no acceptable choices are presented, returns a        handshake failure alert and closes the connection.    -   4. Compression Method: Includes a list of compression algorithms        supported by the client. If the server does not support any        method sent by the client, the connection fails. The compression        method can also be null.    -   5. Extensions. A variety of extensions can be used to add        functionality to TLS. See RFC 4366. In an example, the supported        elliptical curves discussed below may be implemented as a TLS        extension. Other extensions, for example, SessionTicket's and        renegotiation, may be used as described herein, and combined        with other selected data in forming the client fingerprint.

The Cipher Suite is of particular interest here. Each cipher suitelisted defines both a key exchange algorithm and a cipher specification,and there are many possible combinations. For example, there are over300 standard cipher suites listed in the TLS cipher suite registry. FIG.7 shows just a small sample clipped from the registry. Some popularbrowsers list 15 or 20 ciphers in their client hello packet. Additionalfields of interest are described below.

FIG. 3 shows a simplified flow diagram of an example process forfingerprinting a client based on a Transport Layer Security (TLS) or SSLclient hello packet. The first step calls for monitoring packet datatraffic over a network, step 302. Various tools such as Bro are knownfor this function. Another option may be Wireshark, a network packetanalyzer. Next is detecting a client hello packet CHP received from aclient seeking to begin a session, step 304. The client hello packet issent in clear text to the server as the session is not yet encrypted.Indeed, much of the client hello packet is information needed to agreeon encryption protocols to be used. The process then extracts selecteddata from the CHP at step 306. Specific examples are given below. Atstep 308, the method processes the extracted data to form a client IDstring. Next, the client ID string is mapped to form a clientfingerprint. Because of the wide variety of the information extractedfrom the CHP, from one client to another, the resulting client IDstring, and the correspond fingerprint, will be unique for all practicalpurposes. In some embodiments, the mapping of step 310 may apply a hashfunction to the client ID to form the client fingerprint. In oneembodiment, the hash function may return a fingerprint (a string ofcharacters) 32 characters long. This length is not critical, but it isadvantageous as it is easy to use in a variety of software tools.Finally, the fingerprint may be logged in a database. Post investigationof the database can be conducted, i.e. analysis to look for patternsthat could reveal suspicious traffic, leveraging the client fingerprintsas reliable, unique identifiers.

FIG. 6 shows a simplified block diagram representing the relevant CHPfields in the order in which they appear. First is the SSL version 602.Next, 604 represents a series of cipher suites, having values Cipher1 toCipher L. The number of values (Cipher suites) listed may vary byclient. Some clients may list only a few, while others may list scoresof cipher suites. At 606 there may be zero or more Extensions listed,1-M. These refer to TLS extensions described in RFC 3546, TransportLayer Security (TLS) Extensions. At 608, the packet may include zero ormore elliptic curve identifiers, numbered 1-N. These refer to EllipticCurve Cryptography (ECC), a relatively new public key cryptographytechnology that may be used in TLS. See RFC 4492, Elliptic CurveCryptography (ECC) Cipher Suites for Transport Layer Security (TLS).That document it specifies the use of Elliptic Curve Diffie-Hellman(ECDH) key agreement in a TLS handshake and the use of Elliptic CurveDigital Signature Algorithm (ECDSA) as a new authentication mechanism.

Finally, indicated at 610, the packet may include zero or more EllipticCurve Formats, numbered 1-Q in the drawings. Some packets may not havevalues for all of these fields. The order of the values within a givenfield, say the cipher suites identifiers, is significant. Recall theyare arranged in order of preference by the client. Consequently, evenwhere two clients list an identical set of cipher suites in theirrespective client hello packets, the order may be different, and thatorder will lead to an entirely different client fingerprint.

FIG. 4 shows a simplified flow diagram of another example process forgenerating a client identifier string based on aspects of a client hellopacket. The process begins with identifying a selected series of fieldsin the CHP, step 402. The selected fields may include an SSL versionidentifier, a series of cipher suites identifiers, a series of extensionidentifiers, etc. Other fields may include elliptic curves cipher suitesand elliptic curve formats. Referring again to FIG. 4, at step 404, fora selected field, the process converts each listed value (in hex) to acorresponding decimal value. The original order of the values preferablyis maintained, or a different but defined order may be used. Apredetermined delimiter may be inserted in between each of the decimalvalues, step 406. Next, the process calls for concatenating the decimalvalues, and the inserted delimiters, to form a field result string, step408. For example, a cipher suites field result string, or an extensionfield result string. If a field has no values, delimiters are persisted(see example below). For a single-valued field, namely the SSL version,the decimal equivalent becomes the field result string in this context.After a given field result string is generated, step the process testswhether another field in the packet is not yet processed, decision 410.If so, the process loops to 404 and processes the next field, preferablyin the order in which they appear in the CHP. Each field results in acorresponding field result string at 408. Finally, at step 412, all ofthe field result strings are concatenated, with a second predetermineddelimiter inserted in between each of the field result strings, to forma complete client identifier string. This identifier string may behashed to form a corresponding client fingerprint.

FIG. 5 is a simplified flow diagram illustrating a more detailed exampleprocess for generating a client identifier string based on aspects of aclient hello packet. In this example, the process calls for extractingan SSL Version identifier from the packet, step 502; converting theidentifier of the SSL Version to a corresponding decimal value, step504; extracting each of the Cipher Suite identifiers from the packet inorder, step 506; converting each of the cipher suite ids into decimalvalues, step 508; extracting each of the extensions from the packet inorder, step 510; converting each of the extension ids into decimalvalues, step 512; extracting each of the elliptic curves from the packetin order, step 514; converting each of the elliptic curves into decimalvalues, step 516; extracting elliptical curve formats from the packet inorder, step 520; converting each of the elliptical curve format ids intodecimal values, step 522; concatenate the SSL version digital value andthe cipher suite decimal values and the extension decimal values and theelliptic curve decimal values and the elliptic curve format decimalvalues, in the order given in the packet, inserting a first delimiterbetween each field and a second delimiter between each value within afield, to form a string, step 530; applying a hash function to formclient fingerprint, step 536; and storing the client fingerprint, step540.

Example

In this example, a process takes the decimal value of the hex charactersin the SSL Client Hello, concatenates certain values together, in order,delimited by a “,” for each field and a “-” for each value. The order isshown below. A different order may be used, as long as the selectedalgorithm is applied consistently.

SSLVersion,Cipher1-Cipher2-CipherL,Extension1-ExtensionM,EllipticCurve1-EllipticCurveN,EllipticCurveFormat1-EllipticCurveFormatQ

Specific Example; Content of CHP, with values converted to decimal:

769,47-53-5-10-49161-49162-49171-49172-50-56-19-4,0-10-11,23-24-25,0

Above, we can see 769 is the SSL version, converted to decimal. Then aseries of cipher suites are listed, again each of them having anidentifier converted to a decimal equivalent. There are 12 valueslisted, delimited by hyphens, while the field is delimited by commas.The next (third) field is the Extensions; here identified by decimalequivalents 0-10-11, again delimited by commas. The last two fields ofinterest are Elliptic Curves (23-24-25) and Elliptic Field Formats (0).

If there are no SSL Extensions in the Client Hello, the “,” delimiterspersist. Here is an example of the concatenated decimal string:

769,4-45-510-109-9100-10098-983-36-619-1918-1899-99,,,

Next these strings are hashed, preferably using the MD5 algorithm, toproduce the SSL Client Fingerprint. It is 128 bits long or 32 hexcharacters.

769,47-53-5-10-49161-49162-49171-49172-50-56-19-4,0-10-11,23-24-25,0==ada70206e40642a3e4461f35503241d5

In the other case, using only the SSL version and cipher suites:

769,4-5-10-9-100-98-3-6-19-18-99,,,==de35086968c85de67a350c8d186f11e6

The specific details of the specific aspects of implementationsdisclosed herein may be combined in any suitable manner withoutdeparting from the spirit and scope of the disclosed implementations.However, other implementations may be directed to specificimplementations relating to each individual aspect, or specificcombinations of these individual aspects. Additionally, while thedisclosed examples are often described herein with reference to animplementation in which an on-demand database service environment isimplemented in a system having an application server providing a frontend for an on-demand database service capable of supporting multipletenants, the present implementations are not limited to multi-tenantdatabases or deployment on application servers. Implementations may bepracticed using other database architectures, i.e., ORACLE®, DB2® by IBMand the like without departing from the scope of the implementationsclaimed.

It should also be understood that some of the disclosed implementationscan be embodied in the form of various types of hardware, software,firmware, or combinations thereof, including in the form of controllogic, and using such hardware or software in a modular or integratedmanner. Other ways or methods are possible using hardware and acombination of hardware and software. Additionally, any of the softwarecomponents or functions described in this application can be implementedas software code to be executed by one or more processors using anysuitable computer language such as, for example, Java, C++ or Perlusing, for example, existing or object-oriented techniques. The softwarecode can be stored as a computer- or processor-executable instructionsor commands on a physical non-transitory computer-readable medium.Examples of suitable media include random access memory (RAM), read onlymemory (ROM), magnetic media such as a hard-drive or a floppy disk, oran optical medium such as a compact disk (CD) or DVD (digital versatiledisk), flash memory, and the like, or any combination of such storage ortransmission devices. Computer-readable media encoded with thesoftware/program code may be packaged with a compatible device orprovided separately from other devices (for example, via Internetdownload). Any such computer-readable medium may reside on or within asingle computing device or an entire computer system, and may be amongother computer-readable media within a system or network. A computersystem, or other computing device, may include a monitor, printer, orother suitable display for providing any of the results mentioned hereinto a user.

While some implementations have been described herein, it should beunderstood that they have been presented by way of example only, and notlimitation. Thus, the breadth and scope of the present applicationshould not be limited by any of the implementations described herein,but should be defined only in accordance with the following andlater-submitted claims and their equivalents.

1. A computer-implemented method for a database system, comprising:monitoring packet data traffic on a network connection to the databasesystem, to detect a Client Hello packet (CHP) received from a cliententity over the network; analyzing the CHP including— extractingselected data from the CHP; processing the selected data to form an SSLclient identifier string; applying a selected hash function to the SSLclient identifier string to form an SSL client fingerprint; and loggingthe SSL client fingerprint in a database.
 2. The method of claim 1wherein: the extracted data comprises a series of fields in the CHP,each of the fields containing zero or more hex values; and processingthe selected data includes— for each of the series of fields, convertingeach of the hex values into a corresponding decimal value, inserting avalue delimiter between the decimal values, and concatenating thedecimal values and the value delimiters in an order in which the valuesappear in the field, to form a field result string; and concatenatingthe field result strings to form the SSL client identifier string. 3.The method of claim 2 wherein concatenating the field result stringsincludes arranging the field results in a sequence based on an order inwhich the fields are listed in the CHP, and inserting a predeterminedfield delimiter after each field result string prior to concatenatingthe field result strings.
 4. The method of claim 3 wherein the selecteddata fields comprise: an SSL Version field, a cipher suite field, and anextension field.
 5. The method of claim 4 wherein the fields furthercomprise an elliptic curve field.
 6. The method of claim 2 whereinprocessing the extracted data further includes inserting a fielddelimiter after each field in the SSL client identifier string; andconcatenating the fields and the field delimiters to form the SSL clientidentifier string.
 7. The method of claim 6 wherein processing theextracted data further includes inserting a value delimiter after eachdecimal value within a field of the SSL client identifier string.
 8. Themethod of claim 2 wherein the selected hash function is an MD5 hashfunction.
 9. The method of claim 2 wherein processing the extracted datafurther includes persisting at least one field delimiter in the SSLclient identifier string in the absence of data in the CHP for acorresponding field.
 10. The method of claim 1 and further comprising:receiving a security indication for a specified SSL client fingerprint;and updating the database based on the security indication.
 11. Themethod of claim 1 and further comprising: extracting data from thedatabase to form a log of SSL client fingerprints that identify clientsthat accessed the database system.
 12. A non-transitory, computerreadable medium storing instructions executable by a processor to causethe processor to realize a client fingerprinting component, includingcarrying out the steps of: receiving an indication of a detected ClientHello packet (CHP) on a network wire, and analyzing the CHP including—extracting selected data from the CHP; processing the selected data toform an SSL client identifier string; applying a selected hash functionto the SSL client identifier string to form an SSL client fingerprint;and logging the SSL client fingerprint in a database.
 13. The computerreadable medium of claim 12 wherein: the selected data comprises aseries of fields in the CHP, each of the fields containing zero or morevalues; and processing the selected data includes— for each field,converting each of the values into a corresponding decimal value, andconcatenating the decimal values in an order in which the values appearin the field, to form a field result; and concatenating the fieldresults, over all of the fields in the CHP that have at least one value,to form the SSL client identifier string.
 14. The computer readablemedium of claim 13 wherein: concatenating the field results includesarranging the field results in a sequence based on an order in which thefields appear in the CHP, and inserting a field delimiter after eachfield result prior to concatenating the field results.
 15. The computerreadable medium of claim 13 wherein the fields comprise: an SSL Versionfield, a cipher suite field, and an extension field.
 16. The computerreadable medium of claim 15 wherein the fields further comprise anelliptic curve field.
 17. The computer readable medium of claim 15wherein the stored instructions further cause the processor to executethe steps of— receiving a security indication for a specified SSL clientfingerprint; and updating the database based on the security indication.18. The computer readable medium of claim 15 wherein the storedinstructions further cause the processor to extract data from thedatabase to form a list of SSL client fingerprints that identify clientsthat accessed the database system.
 19. A system comprising: aninformation system including a network interface for communications overan external network; a packet analyzer coupled to the network interfaceto examine packet traffic traveling between the information system andthe external network; an SSL fingerprint component coupled to thenetwork packet analyzer to analyze a Client Hello packet captured by thenetwork packet analyzer; wherein the fingerprint component is configuredto generate an SSL client fingerprint based on the Client Hello packet;and a datastore coupled to the fingerprint component for storing the SSLclient fingerprint.
 20. The system of claim 19 wherein the SSLfingerprint component is arranged to generate a blacklist of clientsbased on data stored in the datastore; wherein the blacklist identifieseach the clients by a corresponding SSL client fingerprint, rather thanby an IP address.